Creating a JIRA shouldn't be too painful making use of GitHub Actions.
We should be able to trigger this whenever a dependabot PR is created.
It does add an extra dependency on GitHub, but if we're using
dependabot, we have that anyway.
--
Michael Mior
mm...@apache.org
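One way to wire this up, as an added example rather than anything from the Calcite project: a GitHub Actions workflow that runs only for pull requests opened by Dependabot and files a ticket through the JIRA REST API. It assumes a JIRA project key `CALCITE` with a `Task` issue type on issues.apache.org, and a Dependabot secret `JIRA_AUTH` holding `user:password` for HTTP basic auth; the PR title is passed through an environment variable and JSON-encoded with `jq` so that a crafted title cannot alter the shell script or the request body.

```yaml
# Added example, not Calcite project configuration. Assumed values:
# project key CALCITE, issue type Task, and a Dependabot secret JIRA_AUTH.
name: Dependabot PR to JIRA
on:
  pull_request:
    types: [opened]
permissions:
  contents: read
jobs:
  file-jira:
    # Only run for PRs authored by Dependabot.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    env:
      # Pass PR data via env vars, never inline ${{ }} inside `run`,
      # so the title is data and not part of the script text.
      PR_TITLE: ${{ github.event.pull_request.title }}
      PR_URL: ${{ github.event.pull_request.html_url }}
    steps:
      - name: Create JIRA issue via REST API
        env:
          # Dependabot-triggered pull_request runs only receive
          # "Dependabot secrets" (Settings > Secrets > Dependabot),
          # not ordinary Actions secrets, so JIRA_AUTH must be defined there.
          JIRA_AUTH: ${{ secrets.JIRA_AUTH }}
        run: |
          # jq builds the payload, so quotes or braces in the PR title
          # are escaped rather than interpolated into the JSON.
          payload=$(jq -n --arg summary "$PR_TITLE" --arg url "$PR_URL" '{
            fields: {
              project:     { key: "CALCITE" },
              issuetype:   { name: "Task" },
              summary:     ("Dependabot: " + $summary),
              description: ("Opened automatically for " + $url)
            }
          }')
          # --fail makes a rejected request fail the job instead of
          # silently succeeding with an error page.
          curl --fail --silent --show-error \
            -u "$JIRA_AUTH" \
            -H "Content-Type: application/json" \
            -X POST --data "$payload" \
            https://issues.apache.org/jira/rest/api/2/issue
```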
On Mon., Oct. 14, 2019 at
I guess the missing bit is the bot that automatically creates JIRA for
Dependabot issues.
What if we create one?
Vladimir
I've been using Dependabot on my fork of a few Apache repos (including the
Calcite related ones [1][2][3]) for over a year now. I had to configure
dependabot to point to these repositories. It is a nice reminder of all the
different dependencies that can be updated. There is also a nice link to
+1 to squashing all these changes during a release. However, my only
concern is what happens if upgrading the dependencies during a release
breaks something in the codebase and turns into a larger change. I think
in this case, the change should not be squashed with the other commits
and be a
I’ve not looked at the PRs but they sound useful. Keeping software secure these
days is a moving target; we have to do work just to keep up. All of our
dependencies are doing that work too, and so we need to keep up to date with
them.
I think it would be useful to have a task before each
Why would we not merge those PRs or even disable the whole thing?
On Fri, Oct 11, 2019 at 12:09 AM Francis Chuang wrote:
> Dependabot is a bot on GitHub that opens PRs to automatically upgrade
> out of date dependencies to fix security issues. Recently, GitHub
> acquired dependabot and is
Dependabot is a bot on GitHub that opens PRs to automatically upgrade
out of date dependencies to fix security issues. Recently, GitHub
acquired dependabot and is gradually enabling the bot on all repositories.
It just opened a PR to upgrade a few dependencies in the Avatica
repository: